Spring oauth2 specify protected and unprotected resources
【Chinese title】Spring oauth2 指定受保护和不受保护的资源
【English title】Spring oauth2 specify protected and unprotected resources
【Posted】2015-03-19 09:14:04
【Question】I have implemented OAuth2 in my Spring MVC web application. I now have protected and unprotected resources, for example all of my web services, and Accounts (used for password reset, email verification and so on). My current Spring security is blocking all requests with the access token, even though I specified that Accounts should be fully accessible. Can someone correct how protected and unprotected resources should be defined?
Web configuration
<!-- Spring Root -->
<context-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>portal</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>SpringDispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</init-param>
<!-- <init-param> <param-name>contextConfigLocation</param-name> <param-value>portal</param-value>
Modify this one to get clean URL without portal by plain "/" </init-param> -->
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SpringDispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
oAuth2 web security
<!-- Definition of the Authentication Service -->
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
<anonymous enabled="false"/>
<http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<!-- include this only if you need to authenticate clients via request parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<http pattern="/Accounts" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/Accounts" access="IS_AUTHENTICATED_FULLY"/>
<anonymous enabled="true"/>
<http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<!-- include this only if you need to authenticate clients via request parameters -->
<!-- <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/> -->
</http>
<!-- Protected resources -->
<http pattern="/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false"/>
<intercept-url pattern="/**"
access="ROLE_USER"/>
<custom-filter ref="resourceServerFilter"
before="PRE_AUTH_FILTER"/>
<access-denied-handler
ref="oauthAccessDeniedHandler"/>
</http>
【Comments】:
【Answer 1】:I fixed it by adding /API/ControllerName to all of my request mappings and changing the protected resources to /API/**
@Controller
@RequestMapping(value = "/API/ProductManagement")
public class ProductManagementController extends BaseController {
    // Implementation
}
oAuth2 web security
<http pattern="/Accounts" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/Accounts" access="IS_AUTHENTICATED_FULLY"/>
<anonymous enabled="false"/>
<http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<!-- include this only if you need to authenticate clients via request parameters -->
<!-- <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/> -->
</http>
<!-- Protected resources -->
<http pattern="/API/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false"/>
<intercept-url pattern="/**"
access="ROLE_USER"/>
<custom-filter ref="resourceServerFilter"
before="PRE_AUTH_FILTER"/>
<access-denied-handler
ref="oauthAccessDeniedHandler"/>
</http>
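The following is an added example, not code from the question or the answer, that models why the two layouts behave differently. Spring Security's FilterChainProxy walks the `<http pattern="...">` elements in order and applies the first chain whose Ant pattern matches the request path; a request that matches no chain gets no security filters at all. The chain lists below are constructed from the `<http>` elements shown on this page (the answer only shows two chains, so its `/oauth/token` chain is assumed unchanged), the chain names are labels chosen here, and the Ant matcher is a simplified re-implementation that ignores case sensitivity and URI decoding.

```python
import re
from typing import Optional

# Each <http pattern="..."> element becomes one entry; order matters, because
# FilterChainProxy uses the FIRST chain whose pattern matches the request.
# The chain names are labels chosen for this example, not Spring identifiers.
QUESTION_CHAINS = [
    ("token-endpoint", "/oauth/token"),
    ("accounts", "/Accounts"),
    ("oauth2-protected", "/**"),
]

# The answer's layout; it shows only the /Accounts and /API/** chains, so the
# token-endpoint chain is assumed to be unchanged from the question.
ANSWER_CHAINS = [
    ("token-endpoint", "/oauth/token"),
    ("accounts", "/Accounts"),
    ("oauth2-protected", "/API/**"),
]


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regular expression.

    Simplified model of Spring's AntPathMatcher: '?' matches one character
    within a segment, '*' any run of characters within a segment, and '**'
    zero or more whole segments. Case sensitivity and URI decoding are not
    modelled.
    """
    regex = "^"
    i, n = 0, len(pattern)
    while i < n:
        if pattern.startswith("/**", i) and i + 3 == n:
            regex += "(?:/.*)?"       # trailing "/**": the prefix itself or any sub-path
            i += 3
        elif pattern.startswith("**/", i):
            regex += "(?:.*/)?"       # "**/": zero or more leading segments
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile(regex + "$")


def select_chain(chains, path: str) -> Optional[str]:
    """Return the name of the first chain whose pattern matches `path`.

    None means no <http> element matched: FilterChainProxy then applies no
    security filters, and the request reaches the controller unchecked.
    """
    for name, pattern in chains:
        if ant_to_regex(pattern).match(path):
            return name
    return None


def coverage(chains, paths):
    """Map each request path to the chain that would handle it."""
    return {path: select_chain(chains, path) for path in paths}


if __name__ == "__main__":
    sample_paths = [                # constructed request paths
        "/oauth/token",
        "/Accounts",
        "/Accounts/resetPassword",
        "/API/ProductManagement",
        "/ProductManagement",
    ]
    for label, chains in (("question", QUESTION_CHAINS), ("answer", ANSWER_CHAINS)):
        print(f"--- {label} configuration ---")
        for path, chain in coverage(chains, sample_paths).items():
            print(f"{path:28} -> {chain or 'NO CHAIN (unfiltered)'}")
```

Running the script shows the two things worth checking in a layout like this. In the question's configuration the exact pattern `/Accounts` matches only that one path, so anything under it, such as `/Accounts/resetPassword`, falls through to the `/**` chain and is subject to the OAuth2 resource-server filter. In the answer's configuration there is no catch-all chain any more, so every path outside `/API/**` and the two named chains is served with no Spring Security filters at all; that is what makes those resources reachable, and it means any new controller that is not mapped under `/API/` is unprotected by default rather than protected by default.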
【Comments】: